From: Sander A. <sa....@fz...> - 2023-01-25 07:56:34
Hi Krzysztof,

for the usage of MFA we want to provide some feedback. Some of these things you already know.

- If the OTP is wrong I have to redo the whole authentication. This feels a little bit annoying. On other platforms you just have to re-enter the OTP, but not username & password.
- Signalling MFA usage to SPs in common ways. There are already some common ways to signal the usage of MFA to services. These are the AuthnContextClassRef in SAML and the acr claim in OIDC. It would be great if this is supported by unity, too.
- Proxying the MFA information from the upstream IdP. If the upstream IdP already enables MFA and sends the usage to services, MFA at unity does not increase the security anymore. Especially if the second factor is the same OTP generator. So it would be great if there is a way to transfer the information to the SPs of unity. I know we can build a workaround, but as you already mentioned, storing information in unity in session-bound attributes is not the best way.
- If the user enables MFA in unity but the upstream IdP already performed MFA, it would be great if there is a way for admins to configure whether unity performs MFA or not and just proxies the information. As mentioned before, there is no benefit if the second factor is the same.
- Have an additional authentication flow policy "step_up" which does not fall back to "never" if the user has no MFA configured, but just prohibits the operation/login.
- Have a different session lifetime for users who performed MFA. Since MFA gives better trust that the user account is not compromised, it would be nice if we could increase the session time for those users who authenticated with MFA. This would be a benefit for those who are doing the additional step.

I know some of them are not easy or fast to solve, but I hope all are doable in the future. What do you think about these points? Please let me know if some of them are unclear.
Best regards, Sander

--
Federated Systems and Data
Juelich Supercomputing Centre
phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...
Forschungszentrum Juelich GmbH, 52425 Juelich
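As an added example (not Unity's code and not part of Sander's message), the following Python sketch shows the decision logic the feedback above asks for, in one place: recognising an upstream IdP's MFA signal from the SAML AuthnContextClassRef or the OIDC acr/amr claims, an admin switch that lets the proxy forward that signal instead of running its own second factor, a "step_up" policy that denies the login instead of falling back when the user has no MFA enrolled, and an MFA-dependent session lifetime. Assumptions made here: the REFEDS MFA profile URI is used as the MFA class reference in both protocols, the amr values follow RFC 8176, and the policy names `REQUIRE_OR_FALLBACK`/`STEP_UP`, the `trust_upstream_mfa` switch and the two session lifetimes are hypothetical names and values chosen for the illustration.

```python
"""MFA proxying / step-up decision sketch for a SAML+OIDC proxy IdP.

Added example, not Unity's own code. Policy names, the trust switch and the
session lifetimes are assumptions made for the illustration.
"""
from dataclasses import dataclass
from datetime import timedelta
from enum import Enum
from typing import Optional, Tuple

# REFEDS MFA profile: the class reference R&E federations use to say "MFA was
# performed", both as a SAML AuthnContextClassRef and as an OIDC acr value.
REFEDS_MFA = "https://refeds.org/profile/mfa"
# Standard SAML class for a plain password login over TLS (what we signal when
# no MFA was verified by us or by a trusted upstream).
SAML_PASSWORD_PT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"

# RFC 8176 amr values grouped by factor category. Two distinct categories in
# one amr list count as multi-factor; two methods of the same category do not.
AMR_CATEGORY = {
    "pwd": "knowledge", "pin": "knowledge",
    "otp": "possession", "hwk": "possession", "swk": "possession",
    "sms": "possession", "tel": "possession",
    "face": "inherence", "fpt": "inherence", "iris": "inherence", "vbm": "inherence",
}

SESSION_SINGLE_FACTOR = timedelta(hours=1)   # assumed lifetime without MFA
SESSION_MFA = timedelta(hours=12)            # assumed longer lifetime after MFA


class Policy(Enum):
    NEVER = "never"                            # never run a local second factor
    REQUIRE_OR_FALLBACK = "require_or_fallback"  # assumed: falls back if user has no MFA
    STEP_UP = "step_up"                        # assumed: deny instead of falling back


@dataclass(frozen=True)
class UpstreamAuth:
    """What the upstream IdP asserted: SAML AuthnContextClassRef or OIDC acr, plus OIDC amr."""
    acr: Optional[str] = None
    amr: Tuple[str, ...] = ()


@dataclass(frozen=True)
class Decision:
    action: str                 # "proxy" | "local_mfa" | "single_factor" | "deny"
    acr_to_sp: str              # class reference / acr value signalled downstream
    session_lifetime: timedelta


def upstream_did_mfa(up: UpstreamAuth) -> bool:
    """True if the upstream assertion signals MFA via acr or via amr (RFC 8176)."""
    if up.acr == REFEDS_MFA or "mfa" in up.amr:
        return True
    categories = {AMR_CATEGORY[m] for m in up.amr if m in AMR_CATEGORY}
    return len(categories) >= 2


def decide(policy: Policy, up: UpstreamAuth,
           user_has_local_mfa: bool, trust_upstream_mfa: bool) -> Decision:
    """Pick what the proxy does after the upstream login, before releasing to the SP."""
    # Admin opted to accept upstream MFA: forward the signal, skip the local OTP.
    if trust_upstream_mfa and upstream_did_mfa(up):
        return Decision("proxy", REFEDS_MFA, SESSION_MFA)
    if policy is Policy.NEVER:
        # Never forward an upstream MFA class we did not choose to trust.
        return Decision("single_factor", SAML_PASSWORD_PT, SESSION_SINGLE_FACTOR)
    if user_has_local_mfa:
        return Decision("local_mfa", REFEDS_MFA, SESSION_MFA)
    if policy is Policy.STEP_UP:
        # The requested behaviour: no enrolled second factor means no login.
        return Decision("deny", "", timedelta(0))
    # REQUIRE_OR_FALLBACK: the fall-back-to-never behaviour the message complains about.
    return Decision("single_factor", SAML_PASSWORD_PT, SESSION_SINGLE_FACTOR)


if __name__ == "__main__":
    # Constructed sample assertions, not captured from any real IdP.
    samples = [
        ("acr=REFEDS MFA, no local MFA", UpstreamAuth(acr=REFEDS_MFA), False),
        ("acr=password only, no local MFA", UpstreamAuth(acr=SAML_PASSWORD_PT), False),
        ("amr=pwd+otp, no local MFA", UpstreamAuth(amr=("pwd", "otp")), False),
        ("amr=otp+hwk (same category), local MFA", UpstreamAuth(amr=("otp", "hwk")), True),
    ]
    for label, up, has_mfa in samples:
        d = decide(Policy.STEP_UP, up, has_mfa, trust_upstream_mfa=True)
        print(f"{label}: {d.action}, acr -> {d.acr_to_sp or '-'}, session {d.session_lifetime}")
```

The point of `trust_upstream_mfa` is exactly the configuration knob requested: when the upstream IdP's second factor is the same OTP generator the proxy would ask for, the admin forwards the upstream class reference and skips the redundant prompt; when the upstream is not trusted for MFA, the proxy never forwards an MFA class it did not verify itself.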